015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.log.Log;
018 import com.liferay.portal.kernel.log.LogFactoryUtil;
019 import com.liferay.portal.kernel.servlet.HttpHeaders;
020 import com.liferay.portal.kernel.util.Base64;
021 import com.liferay.portal.kernel.util.CharPool;
022 import com.liferay.portal.kernel.util.GetterUtil;
023 import com.liferay.portal.kernel.util.MapUtil;
024 import com.liferay.portal.util.Portal;
025 import com.liferay.portlet.login.util.LoginUtil;
026
027 import java.util.Properties;
028 import java.util.StringTokenizer;
029
030 import javax.servlet.http.HttpServletRequest;
031 import javax.servlet.http.HttpServletResponse;
032
033
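/**
 * Authenticates requests that carry an HTTP Basic {@code Authorization}
 * header. The class serves both as an auto-login hook (via
 * {@link #doLogin}) and as an {@link AuthVerifier} (via {@link #verify}).
 *
 * <p>The header is parsed into a login name and password, which are then
 * checked with {@link LoginUtil#getAuthenticatedUserId}. Only the login
 * name is ever written to the log; the password and the raw header payload
 * are not logged.</p>
 */
public class BasicAuthHeaderAutoLogin
	extends BaseAutoLogin implements AuthVerifier {

	/**
	 * Returns the authentication scheme this verifier handles.
	 *
	 * @return {@link HttpServletRequest#BASIC_AUTH}
	 */
	public String getAuthType() {
		return HttpServletRequest.BASIC_AUTH;
	}

	/**
	 * Verifies the request held by the access control context using its
	 * Basic {@code Authorization} header.
	 *
	 * <p>On success the result carries the user ID and password with state
	 * {@code SUCCESS}. Without usable credentials the result is left in its
	 * default state, unless the {@code basic_auth} setting is enabled, in
	 * which case a {@code 401} challenge with the portal realm is written to
	 * the response and the state is {@code INVALID_CREDENTIALS}.</p>
	 *
	 * @param  accessControlContext the request, response and settings of the
	 *         current access check
	 * @param  properties verifier properties (not used by this verifier)
	 * @return the verification result, never {@code null}
	 * @throws AuthException if the underlying auto-login step fails
	 */
	public AuthVerifierResult verify(
			AccessControlContext accessControlContext, Properties properties)
		throws AuthException {

		try {
			AuthVerifierResult authVerifierResult = new AuthVerifierResult();

			String[] credentials = login(
				accessControlContext.getRequest(),
				accessControlContext.getResponse());

			if (credentials != null) {
				authVerifierResult.setPassword(credentials[1]);
				authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
				authVerifierResult.setUserId(Long.valueOf(credentials[0]));
			}
			else {
				boolean forcedBasicAuth = MapUtil.getBoolean(
					accessControlContext.getSettings(), "basic_auth");

				if (forcedBasicAuth) {

					// Challenge the client so it can retry with credentials

					HttpServletResponse response =
						accessControlContext.getResponse();

					response.setHeader(
						HttpHeaders.WWW_AUTHENTICATE, _BASIC_REALM);

					response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

					authVerifierResult.setState(
						AuthVerifierResult.State.INVALID_CREDENTIALS);
				}
			}

			return authVerifierResult;
		}
		catch (AutoLoginException e) {
			throw new AuthException(e);
		}
	}

	/**
	 * Parses the {@code Authorization: Basic <base64>} header and
	 * authenticates the embedded login name and password.
	 *
	 * @param  request the request whose header is inspected
	 * @param  response the response (unused here)
	 * @return {@code {userId, password, "true"}} on success, or {@code null}
	 *         if the header is absent, uses another scheme, lacks the
	 *         encoded payload, or the payload has no {@code ':'} separator
	 * @throws Exception if authentication of the credentials fails
	 */
	@Override
	protected String[] doLogin(
			HttpServletRequest request, HttpServletResponse response)
		throws Exception {

		String authorization = request.getHeader("Authorization");

		if (authorization == null) {
			return null;
		}

		StringTokenizer st = new StringTokenizer(authorization);

		if (!st.hasMoreTokens()) {
			return null;
		}

		String scheme = st.nextToken();

		// A bare "Basic" header with no payload must be rejected here rather
		// than surfacing as a NoSuchElementException from nextToken()

		if (!scheme.equalsIgnoreCase(HttpServletRequest.BASIC_AUTH) ||
			!st.hasMoreTokens()) {

			return null;
		}

		String encodedCredentials = st.nextToken();

		// Decode with an explicit charset so the result does not depend on
		// the platform default encoding of the server

		String decodedCredentials = new String(
			Base64.decode(encodedCredentials), "UTF-8");

		int pos = decodedCredentials.indexOf(CharPool.COLON);

		if (pos == -1) {
			return null;
		}

		String login = GetterUtil.getString(
			decodedCredentials.substring(0, pos));
		String password = decodedCredentials.substring(pos + 1);

		// Log only the login name; the password and the raw header payload
		// are secrets and must not reach the log

		if (_log.isDebugEnabled()) {
			_log.debug("Basic authentication attempt for login " + login);
		}

		long userId = LoginUtil.getAuthenticatedUserId(
			request, login, password, null);

		return new String[] {
			String.valueOf(userId), password, Boolean.TRUE.toString()
		};
	}

	private static final String _BASIC_REALM =
		"Basic realm=\"" + Portal.PORTAL_REALM + "\"";

	private static final Log _log = LogFactoryUtil.getLog(
		BasicAuthHeaderAutoLogin.class);

}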